ClearBlue
Vulnerability Class Reference (abstract)
Inheritance diagram for Vulnerability: (graph image not reproduced here)

Public Types

enum  SiteType { ST_Return = 1 << 0, ST_Call = 1 << 1, ST_Sink = 1 << 2, ST_Others = 1 << 3 }
 
enum  VulnerabilityCategoryType {
  VCT_Begin, VCT_SinkMustReach, VCT_SinkMustNotReach, VCT_Taint,
  VCT_End
}
 
typedef std::pair< const SEGOperandNode *, const SEGSiteBase * > ValueSitePairType
 

Public Member Functions

virtual void setSources (const SymbolicExprGraph *SEG, std::vector< ValueSitePairType > &Sources)=0
 
virtual void setPrerequisites (SymbolicExprGraphSolver *Solver, const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory, SMTExprVec &Prerequisites)=0
 
virtual bool checkNode (const SEGNodeBase *CurrNode, const VulnerabilityTraceBuilder &TraceHistory)
 
virtual bool finalCheck (const VulnerabilityTraceBuilder &TraceHistory)
 
virtual void ConstantCheck (const SymbolicExprGraph *SEG, std::list< shared_ptr< VulnerabilityTrace >> &AllTraces)
 
virtual bool isFlowInsensitive ()
 
virtual SiteType checkSite (const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory)=0
 
virtual bool checkTrace (std::shared_ptr< VulnerabilityTrace > &Trace)
 
VulnerabilityCategoryType getCategoryType () const
 
bool isParasitical () const
 
void setParasitical (bool B)
 
const char * getDescription ()
 Return the description of the vulnerability.
 
BugDescription::BugImportance getImportance () const
 
BugDescription::BugClassification getClassification () const
 
const char * getName ()
 Return the name of the vulnerability.
 
virtual PSAReportDecoratorDefault * allocNewDecorator ()
 
virtual void destroyDecorator (PSAReportDecoratorDefault *decorator)
 
virtual void getAnalysisUsage (AnalysisUsage &AU)
 
virtual void initializeAnalysis (Pass *P)
 

Friends

class SinkMustReachVulnerability
 
class SinkMustNotReachVulnerability
 
class TaintStyleVulnerability
 
class SrcMustNotReachSinkVulnerability
 
class SrcMustReachSinkVulnerability
 
class SailFishVulnerability
 

Member Typedef Documentation

◆ ValueSitePairType

typedef std::pair<const SEGOperandNode *, const SEGSiteBase *> Vulnerability::ValueSitePairType

This type describes that a value is used or defined at some site. For a constant value that does not need to be defined, use nullptr as the definition site.

Member Enumeration Documentation

◆ SiteType

The type of a use site for a vulnerability:
Others: an insensitive use site
Return: the use site is a return instruction
Call: the use site is a call instruction
Sink: the use site is the sink of a source-sink style vulnerability

For a call site (or return site), if you regard it as a sink of a vulnerability, you should mark it as ST_Sink. If you expect inter-procedural analysis to continue from the call site (or return site), it should be marked as ST_Call (or ST_Return). If both apply, return ST_Call (or ST_Return) | ST_Sink.

◆ VulnerabilityCategoryType

It describes the types of source-sink style vulnerability.

VCT_SinkMustReach: given a fresh value as the source, if there exists some path along which the source does not reach a sink, it is a vulnerability. Here a fresh value includes a constant value, the return value of a library call, an alloca instruction, etc.

VCT_SinkMustNotReach: given a fresh value as the source, if the source reaches a sink along some path, it is considered a vulnerability.

VCT_Taint: similar to VCT_SinkMustNotReach, but the source is not required to be a fresh value. Besides, if a pointer, e.g. ptr, is regarded as a source, *ptr is also regarded as a source.

Member Function Documentation

◆ checkNode()

virtual bool Vulnerability::checkNode (const SEGNodeBase *CurrNode, const VulnerabilityTraceBuilder &TraceHistory)
inline virtual

Checks whether the node CurrNode can flow to a sink site along the value flow.

TraceHistory represents the trace history just before reaching CurrNode.

Users can implement an analysis, loaded via Vulnerability::getAnalysisUsage and Vulnerability::initializeAnalysis, that determines that some nodes cannot trigger the vulnerability, so that the checking process can be sped up.

◆ checkSite()

virtual SiteType Vulnerability::checkSite (const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory)
pure virtual

Checks the type of CurrSite, given the trace history TraceHistory, which represents the trace just before reaching CurrSite.

Implemented in SailFishVulnerability.

◆ checkTrace()

virtual bool Vulnerability::checkTrace (std::shared_ptr< VulnerabilityTrace > &Trace)
inline virtual

Checks each node of the whole possibly vulnerable trace Trace to verify that the flow from source to sink is valid.

◆ ConstantCheck()

virtual void Vulnerability::ConstantCheck (const SymbolicExprGraph *SEG, std::list< shared_ptr< VulnerabilityTrace >> &AllTraces)
inline virtual

Used to handle non-pointer-type global variables. PSAChecker does not regard non-pointer-type global variables as sources or sinks, so this API is used to handle them. It should also handle constants such as 1, 2, 3, 0x1234567, &g, etc., not only global variables. The function is checked based on the argument SEG; the resulting vulnerability traces are constructed and added to the argument AllTraces.

◆ finalCheck()

virtual bool Vulnerability::finalCheck (const VulnerabilityTraceBuilder &TraceHistory)
inline virtual

Given a final trace, checks whether the trace itself meets additional requirements. E.g., in the data race checker it returns the MHP (may-happen-in-parallel) relation if the vulnerability is a concurrency problem. Returns true otherwise.

◆ getAnalysisUsage()

virtual void Vulnerability::getAnalysisUsage (AnalysisUsage &AU)
inline virtual

LLVM analyses can be declared here.

Use AnalysisUsage::addRequired() to declare which analyses will be used. All required analyses are preserved by default; extra AnalysisUsage::addPreserved() or AnalysisUsage::setPreservesAll() calls are not necessary.

◆ initializeAnalysis()

virtual void Vulnerability::initializeAnalysis (Pass *P)
inline virtual

Initializes the analysis here using P. You can declare a class member field, e.g.,

AnalysisClassName* A = nullptr;

and in the function, you can initialize it as

A = &P->getAnalysis<AnalysisClassName>();

◆ isFlowInsensitive()

virtual bool Vulnerability::isFlowInsensitive ( )
inline virtual

This is used to handle vulnerabilities that do not require reachability information in TaintFunctionChecker. Concrete checkers (e.g., DataRace) should still check reachability unless the vulnerability is flow insensitive. In fact, this function only returns true or false to decide whether the result of Parent->CRA->isReachable is ignored. E.g., the data race checker sets all writes as sources and reads/writes as sinks; write/read pairs should then not use reachability information, otherwise about half of them may be ignored.

◆ isParasitical()

bool Vulnerability::isParasitical ( ) const
inline

It returns true if the vulnerability cannot exist independently. In other words, it must exist in a multi-vulnerability.

◆ setPrerequisites()

virtual void Vulnerability::setPrerequisites (SymbolicExprGraphSolver *Solver, const SEGSiteBase *CurrSite, const VulnerabilityTraceBuilder &TraceHistory, SMTExprVec &Prerequisites)
pure virtual

This function defines the prerequisite of this vulnerability, given the trace history and current use site.

For example, for Null Pointer Dereference, the prerequisite is that the dereferenced pointer is nullptr; otherwise a Null Pointer Dereference cannot happen. Thus, this function should add Solver->getOrInsertExpr(TraceHistory.recentObjAs<SEGNodeBase>()) == 0 to Prerequisites; here, nullptr is modeled as 0.

Users can implement an empty function, if there is no prerequisite.

Implemented in SailFishVulnerability.

◆ setSources()

virtual void Vulnerability::setSources (const SymbolicExprGraph *SEG, std::vector< ValueSitePairType > &Sources)
pure virtual

Collects a list of source nodes and the corresponding source sites. If the source site is null, the source starts at the very beginning of the function.

Users should override this function and collect the sources into Sources.

Implemented in SailFishVulnerability.
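The following is an added example, not code from ClearBlue or the PSAChecker project, that models the source-sink protocol documented above (setSources, checkSite returning combined SiteType flags, setPrerequisites, and the VCT_SinkMustNotReach category) as a self-contained toy. Every type in it (ToyNode, ToySite, ToyGraph, ToyVulnerability, ToyNullDeref, findTraces, sampleGraph) is an assumption made for this page; the real SymbolicExprGraph, SEGSiteBase, VulnerabilityTraceBuilder and SMTExprVec are replaced by a hand-built value-flow graph and a boolean predicate standing in for the "source == 0" SMT constraint. The sample graph is constructed, not taken from any analyzed program.

```cpp
// Added example: toy model of the Vulnerability source-sink protocol.
// None of these types is ClearBlue's own API; they are stand-ins for this page.
#include <string>
#include <vector>
#include <algorithm>

// Same flag values as Vulnerability::SiteType; a site may carry several flags.
enum SiteType { ST_Return = 1 << 0, ST_Call = 1 << 1, ST_Sink = 1 << 2, ST_Others = 1 << 3 };

// A value node of a toy value-flow graph. `fresh` models "a fresh value" (constant,
// library-call result, alloca); `maybeNull` stands in for the SMT constraint
// "Solver->getOrInsertExpr(node) == 0" that a real setPrerequisites would emit.
struct ToyNode {
    std::string name;
    bool fresh = false;
    bool maybeNull = false;
    std::vector<int> succ;   // nodes this value flows to
    int useSite = -1;        // index into ToyGraph::sites, or -1 if unused
};

struct ToySite {
    std::string name;
    bool isCall = false;     // call instruction: analysis may continue into the callee
    bool isDeref = false;    // dereference: the sink of a null-deref vulnerability
};

struct ToyGraph {
    std::vector<ToyNode> nodes;
    std::vector<ToySite> sites;
};

using Trace = std::vector<int>;   // node indices from the source to the current node

// Toy counterpart of the documented pure-virtual interface (SMTExprVec replaced by a
// boolean predicate so the example runs without a solver).
struct ToyVulnerability {
    virtual ~ToyVulnerability() = default;
    virtual void setSources(const ToyGraph &G, std::vector<int> &Sources) = 0;
    virtual int checkSite(const ToyGraph &G, int Site, const Trace &History) = 0;
    virtual bool prerequisitesHold(const ToyGraph &G, int Site, const Trace &History) = 0;
};

// Null pointer dereference in the VCT_SinkMustNotReach style: a fresh pointer that
// can be null must not flow into a dereference.
struct ToyNullDeref : ToyVulnerability {
    void setSources(const ToyGraph &G, std::vector<int> &Sources) override {
        for (int i = 0; i < (int)G.nodes.size(); ++i)
            if (G.nodes[i].fresh) Sources.push_back(i);
    }
    int checkSite(const ToyGraph &G, int Site, const Trace &) override {
        int t = 0;
        if (G.sites[Site].isDeref) t |= ST_Sink;   // report here ...
        if (G.sites[Site].isCall)  t |= ST_Call;   // ... and/or keep going inter-procedurally
        return t ? t : ST_Others;
    }
    bool prerequisitesHold(const ToyGraph &G, int, const Trace &H) override {
        return G.nodes[H.front()].maybeNull;       // "source == 0" must be satisfiable
    }
};

// Driver mirroring the documented protocol: collect sources, walk the value flow,
// classify each use site, and keep a trace only when it reaches a sink whose
// prerequisites hold. Call sites are passed through so the walk continues.
std::vector<Trace> findTraces(const ToyGraph &G, ToyVulnerability &V) {
    std::vector<int> sources;
    V.setSources(G, sources);
    std::vector<Trace> found;
    for (int s : sources) {
        std::vector<Trace> work{Trace{s}};
        while (!work.empty()) {
            Trace cur = work.back();
            work.pop_back();
            const ToyNode &n = G.nodes[cur.back()];
            if (n.useSite >= 0) {
                int st = V.checkSite(G, n.useSite, cur);
                if ((st & ST_Sink) && V.prerequisitesHold(G, n.useSite, cur))
                    found.push_back(cur);
            }
            for (int nx : n.succ)
                if (std::find(cur.begin(), cur.end(), nx) == cur.end()) {  // avoid cycles
                    Trace t = cur;
                    t.push_back(nx);
                    work.push_back(t);
                }
        }
    }
    return found;
}

// Constructed sample graph: p = malloc() may be null and reaches two dereferences
// (one directly, one through a call); r = &local is fresh but can never be null.
ToyGraph sampleGraph() {
    ToyGraph G;
    G.sites = {{"*q", false, true}, {"callee(arg)", true, false},
               {"*s", false, true}, {"*param", false, true}};
    G.nodes = {
        {"p = malloc(n)", true,  true,  {1, 3}, -1},
        {"q = p",         false, false, {},     0},
        {"r = &local",    true,  false, {4},    -1},
        {"arg = p",       false, false, {5},    1},
        {"s = r",         false, false, {},     2},
        {"param",         false, false, {},     3},
    };
    return G;
}

// Number of reported traces for the sample: 2 (p->q->*q and p->arg->param->*param);
// r->s->*s is dropped because the prerequisite "r may be null" does not hold.
int vulnerableTraceCount() {
    ToyNullDeref V;
    return (int)findTraces(sampleGraph(), V).size();
}
```

The point the toy makes is the division of labour in the real interface: setSources decides what is fresh, checkSite decides whether a site is a sink, a continuation point, or both (returned as OR-ed flags), and the prerequisite filters out traces whose source can never satisfy the triggering constraint, which is why the never-null &local source produces no report even though it reaches a dereference.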


The documentation for this class was generated from the following file: